
secmartin writes "Dan Bernstein has just admitted that a security issue has been found in the djbdns software, one of the most popular alternatives to the BIND nameserver. As part of the djbdns security guarantee, $1000 will be paid to Matthew Dempsky, the researcher who found the bug. The bug allows a nameserver running djbdns to be poisoned using just a single packet. Other researchers have found a separate issue that allows dnscache, the DNS cache that is also part of the djbdns package, to be poisoned within just 18 minutes when using the default configuration. Anyone using djbdns is strongly encouraged to patch their servers immediately."
Reader emad contributes a link to the djbdns mailing list post containing both a patch and a sample exploit, and adds: "In the words of Dan Kaminsky (of recent DNS security fame): 'However, Dempsky's bug in djb's tinydns is way more surprising, if only because ... holy crap, he pulled an exploitable scenario out of THAT?!'"

Well actually, in this case, he seems to be having a better attitude; he's confirmed that there is a real issue, and even links to Dempsky's patch. So there appears to be some improvement here, which was one of the reasons I submitted this to Slashdot!

Me too. DJB's documentation and configuration approach is also highly confusing. I have run qmail for 4 years now on what used to be my main machine. When it runs, it runs fine, but it was a real adventure getting there. For new installations I now use Postfix. Far, far less obscure to configure.

The other problem with DJB's software that actually broke things is his ideas about time handling. I had to drop his NTP software because of that.

My bottom line is that with regard to security and stability DJB's stuff i

I hear that DJB never visits his father for years at a stretch. What does that tell you about his upbringing?

Yeah, well, I heard that he eats babies. If you want to smear the guy's reputation go with the part that most people here actually care about: his work. There's ample opportunity in that department to bash him, sometimes even rightly so.

I've met him; he was a professor at my university when I was an undergrad, and he used to help the math club practice for taking the Putnam exam. He's actually a fairly nice guy when you meet him in person.

He's a college professor. If he "listened" his head would explode from all the bad information he receives from young college students who think they know everything.

It's survival instinct to stop listening once you become a teacher, otherwise the results could be catastrophic. The teacher could become aware that all the students are idiots that make garden snails look like PhD candidates and attempt mass murder of the student body.

News Flash: Teacher listens to students and climbs bell tower with high pow

To be fair, Windows is probably proportionally about as much larger than (the default install of) OpenBSD as OpenBSD is than DJBDNS.

So you ought to allow Windows about 9 vulnerabilities in that time;-)

Seriously though, I wonder at what sort of rate the expected number of vulnerabilities should increase with respect to the size of a codebase, given somehow equivalent levels of "correctness". Intuitively, I suspect it'd be at least O(size^2), if not much, much faster.

Since I'm one of the admins who's enjoyed having a vulnerability-free djbdns installation for years, I thought I'd look more into the vuln.

Say what you will about DJB, other than being seemingly ornery he appears to be forthright and focused on correctness. In under a week he confirms the vuln, posts a patch and awards the security guarantee money. This is the kind of behavior I want from the people who build my software. http://article.gmane.org/gmane.network.djbdns/13864

Here's the bug:

If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com.

How many of you are running domains like this? It's not something I need to bother patching for. Ah, I guess that's another great thing about the relative rarity of bugs. If one is found it's less likely to be relevant for your particular situation.

The article submitter says:

"Anyone using djbdns is strongly encouraged to patch their servers immediately."

The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky's patch and requested to accept my apologies.

He's apologizing. How's that for forthright behavior? He's not being evasive. He's not pointing fingers. He's owning up to personal error, and expressing what appears to be compunction. For one bug in a decade.

Yeah, tell me how you don't like his attitude. I think it's fine.

Mr. Bernstein, good work I say. Thank you very much for your efforts and skill and honesty.
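The situation DJB describes above is an example.com operator merging a data file supplied by whoever runs sub.example.com. The following is an added example, not code from djbdns and not Dempsky's patch: a scope check that parses tinydns-data lines and flags every record from the third-party file that would create a name outside the delegated subtree, whether as the record's owner name, as the glue host name tinydns-data derives from the `x` field of `.`, `&` and `@` lines (x.ns.fqdn or x.mx.fqdn when x has no dot, x verbatim otherwise), or as the in-addr.arpa owner of the PTR record an `=` line generates. The sample file and the `sub.example.com` scope are constructed for the demo. Note the caveat that follows from DJB's own wording: the bug lets data that stays inside sub.example.com affect example.com cache entries, so this check catches the obvious escapes in what you merge but is no substitute for applying the patch.

```python
"""Scope check for third-party records merged into a tinydns 'data' file.

Added example, not part of djbdns. Reports every tinydns-data line that
would create a name outside the subtree a third party is allowed to
publish: the owner name, the glue host derived from the 'x' field of
'.', '&' and '@' lines, or the in-addr.arpa name an '=' line adds a PTR for.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Per tinydns-data: an 'x' without a dot becomes x.ns.fqdn ('.', '&') or
# x.mx.fqdn ('@'); when an ip is given, an A record for that host is emitted.
IMPLICIT_SUFFIX = {".": "ns", "&": "ns", "@": "mx"}

# Stock tinydns-data line types whose first field is an owner name.
OWNER_TYPES = ".&=+@'^CZ:"


@dataclass
class Finding:
    lineno: int
    line: str
    name: str      # the out-of-scope name
    reason: str


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def in_scope(name: str, scope: str) -> bool:
    """True if name equals scope or is a subdomain of it (label-wise)."""
    name, scope = normalize(name), normalize(scope)
    return name == scope or name.endswith("." + scope)


def implied_host(fqdn: str, x: str, suffix: str) -> str:
    """Host name tinydns-data derives from the 'x' field of ., & and @ lines."""
    if "." in x:
        return x                      # used verbatim
    return f"{x}.{suffix}.{fqdn}" if x else f"{suffix}.{fqdn}"


def reverse_name(ip: str) -> str:
    """in-addr.arpa owner of the PTR record an '=' line generates."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def check_data(lines: Iterable[str], scope: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line or line[0] in "#-":
            continue                                  # comment / disabled record
        kind, fields = line[0], line[1:].split(":")
        fields += [""] * (4 - len(fields))            # pad so fields[1..3] exist
        if kind == "%":
            findings.append(Finding(lineno, line, fields[0],
                                    "location line affects the whole server"))
            continue
        if kind not in OWNER_TYPES:
            findings.append(Finding(lineno, line, fields[0],
                                    f"unrecognised record type {kind!r}"))
            continue
        fqdn = fields[0]
        candidates = [(fqdn, "owner name")]
        if kind in IMPLICIT_SUFFIX and fields[1]:     # ip given -> glue A record
            candidates.append((implied_host(fqdn, fields[2], IMPLICIT_SUFFIX[kind]),
                               "glue host name"))
        if kind == "=" and fields[1]:
            candidates.append((reverse_name(fields[1]), "PTR owner name"))
        for name, what in candidates:
            if not in_scope(name, scope):
                findings.append(Finding(lineno, line, name, f"{what} outside {scope}"))
                break                                 # one finding per line is enough
    return findings


# Constructed sample of a file the operator of sub.example.com might hand over.
SAMPLE_THIRD_PARTY_DATA = """\
# constructed sample: records supplied by the operator of sub.example.com
.sub.example.com:192.0.2.10:a
+www.sub.example.com:192.0.2.11
@sub.example.com::mail.sub.example.com:10
+example.com:192.0.2.99
&example.com:192.0.2.99:evil
=host.sub.example.com:192.0.2.12
%in:192.0.2
'sub.example.com:v=spf1 -all
"""


def demo() -> List[Finding]:
    return check_data(SAMPLE_THIRD_PARTY_DATA.splitlines(), "sub.example.com")


if __name__ == "__main__":
    for f in demo():
        print(f"line {f.lineno}: {f.reason} ({f.name}): {f.line}")
```

Run against the sample, the check passes the `.`, `+`, `@` and TXT lines that stay under sub.example.com and reports the `+example.com` and `&example.com` lines (owner outside the subtree), the `=` line (it would add a PTR under 192.in-addr.arpa, which the third party has no business publishing; `+` is the right type there) and the `%` line (a location definition changes what every client of the server sees). A review like this belongs in the cron job that rebuilds the data file, before `tinydns-data` is run, and it fails closed: a single finding should stop the merge rather than just log.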

As I'm very interested in knowing the truth of claims regarding Bernstein's misbehavior, it would help me very much if you could point to specific quotes or actions of his that show "complete denial" and being "disingenuous". Thanks!

Have a look at the article, there's a short summary about the qmail issue. In short, there was a security issue, but because it can only be exploited if qmail was assigned gigabytes of memory (the bug involved a 32-bit memory address), DJB didn't think it was an actual issue.

To quote: Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail's assumption that allocated array lengths fit comfortably into 32 bits.

Oh, that's what you mean by "complete denial". I thought you meant denial as in

Denial is a defense mechanism postulated by Sigmund Freud, in which a person is faced with a fact that is too uncomfortable to accept and rejects it instead, insisting that it is not true despite what may be overwhelming evidence.

I didn't realize you meant it in the simple sense of "to state that something is not true".

But maybe you actually do mean the defense mechanism version? I guess then that there would have to be overwhelming evidence. Do you see it as likely or possible that qpopd would be given 4 GB of (even virtual) memory? I'm not familiar with how it's normally run. Anyone?

I have to agree there. As a user of tinydns/dnscache, this bug doesn't affect me because I don't let other people serve their records from my install of djbdns. If I did, I'd likely ask them for a 'data' file, look it over manually and install it manually. Yeah, it's more of a PITA than AXFR, but for my needs it is fine.

Even the other bug with the 200 outstanding requests for a record would be problematic to exploit on my network, since I only allow trusted computers on my network and you have to be on my

I had to check to make sure you weren't my old boss! A place I worked about a year ago did that. Our systems automatically registered hosted domain names and dropped the list of subdomains into our database. A cron job pulled records from there, generated the data file, compiled it and told tinydns to reload it.

I really appreciated djbdns's data format after having dealt with BIND at my last job. I remember it being disturbingly finicky about its input--there are plenty of ways to kill your DNS server if, f